[dev] Application Permissions (was Re: appLinks() and Re: Aboutpermissions)

Hans Lellelid hans at appliedsec.com
Thu Mar 27 15:50:34 PST 2003


> Do you think this would be possible? I think that this will bend things
> awfully. My thoughts are going in the direction of defining different user
> levels e.g. NO_USER, GUEST, USER, ADMIN and leave room in between for
> applications to use. I didn't investigate whether the Perms class could be
> extended to provide for something like this as well. The current permissions
> define access to objects where what I would like to have is something to
> define access to functions/pages.

Yes -- I had a similar run-in w/ Horde permissions system not that long
ago.  The lack of a "role" concept and the use of the Category driver
forced me to write my own Perms/Group implementation. 

You could use Group for roles, but the fit isn't great -- especially if
you need both groups and roles :) I needed both ROLES and PROJECTS (and
couldn't use Group for both).  In the end I implemented a system where
people become a member of a group with a bitmask of qualifications.

I.e. I am a member of Group "Project A" with access _PERMS_READ |
_PERMS_EDIT | _PERMS_DELETE.

In a role-based approach, I would have instead created a preset number
of different combinations of the permission bits that I could choose
when adding a user to a group (group=project in my case).

Also, Horde's Category driver didn't suffice for the pretty complex
user/group queries I needed to perform.  E.g. finding all groups that a
user belongs to was way too inefficient -- not to mention needing to
find all the users who shared group membership with a specified user :)

I think some changes to Perms system could probably address some of
these issues (?)  I don't know what exactly -- my needs were obviously
pretty specific, but I think there is definitely room for better support
of "roles" in Horde.

Hans
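
The scheme described in the message above (group membership carrying a permission bitmask, with roles as preset bit combinations), as an added example that is not part of the original message and not Horde code. The bit values, the ROLES table, the Memberships class and the user names are all assumptions made for illustration; the two indexes show one way to keep the "groups of a user" and "users sharing a group" lookups cheap.

```php
<?php
// Bit values are constructed for this example, not copied from Horde.
const _PERMS_READ = 1;
const _PERMS_EDIT = 2;
const _PERMS_DELETE = 4;

// Hypothetical role presets: named combinations of the permission bits.
const ROLES = [
    'viewer'  => _PERMS_READ,
    'editor'  => _PERMS_READ | _PERMS_EDIT,
    'manager' => _PERMS_READ | _PERMS_EDIT | _PERMS_DELETE,
];

final class Memberships {
    private array $byUser = [];   // user => [group => mask]
    private array $byGroup = [];  // group => [user => mask]

    // Only preset roles may be granted, so no ad-hoc bit combinations leak in.
    public function add(string $user, string $group, string $role): void {
        if (!array_key_exists($role, ROLES)) {
            throw new InvalidArgumentException("unknown role: $role");
        }
        $this->byUser[$user][$group] = ROLES[$role];
        $this->byGroup[$group][$user] = ROLES[$role];
    }

    // Deny by default: no membership means mask 0, and every requested bit must be set.
    public function can(string $user, string $group, int $needed): bool {
        $mask = $this->byUser[$user][$group] ?? 0;
        return $needed !== 0 && ($mask & $needed) === $needed;
    }

    // All groups of a user: a single lookup in the per-user index.
    public function groupsOf(string $user): array {
        return array_keys($this->byUser[$user] ?? []);
    }

    // All users sharing at least one group with $user, excluding $user.
    public function peersOf(string $user): array {
        $peers = [];
        foreach ($this->groupsOf($user) as $group) {
            $peers += $this->byGroup[$group];
        }
        unset($peers[$user]);
        return array_keys($peers);
    }
}

$m = new Memberships();                      // constructed sample data below
$m->add('alice', 'Project A', 'manager');
$m->add('bob', 'Project A', 'viewer');
$m->add('bob', 'Project B', 'editor');
var_dump($m->can('bob', 'Project A', _PERMS_EDIT), $m->can('bob', 'Project B', _PERMS_EDIT));
print_r($m->peersOf('alice'));
```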



